10 files changed, 180 insertions, 36 deletions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5ee3d733d..56b38cb71 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,3 +43,9 @@ jobs:
       run: sudo apt-get install cppcheck
     - name: cppcheck
       run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+  profile-sort:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/README.md b/README.md
index 2bb05a872..6bc24cfbb 100644
--- a/README.md
+++ b/README.md
@@ -154,9 +154,9 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 `````
-## Latest released version: 0.9.62
+## Latest released version: 0.9.64
 
-## Current development version: 0.9.63
+## Current development version: 0.9.65
 
 ### Profile Statistics
 
@@ -191,12 +191,3 @@ Stats:
 
 ### New profiles:
 
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
-multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
-muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
-gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
-penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
-four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
-hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser, kazam, menulibre, musictube, onboard, fractal, mirage, quaternion, spectral, man, psi, smuxi-frontend-gnome, balsa, kube, trojita, cola, twitch, youtube, youtubemusic-nativefier, ytmdesktop, dbus-send, notify-send, qrencode,
-xournalpp, chromium-freeworld, equalx
diff --git a/configure b/configure
index 223db707f..3f4989b00 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.64.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.65.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.64'
-PACKAGE_STRING='firejail 0.9.64'
+PACKAGE_VERSION='0.9.65'
+PACKAGE_STRING='firejail 0.9.65'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -1292,7 +1292,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.64 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.65 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1354,7 +1354,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.64:";;
+     short | recursive ) echo "Configuration of firejail 0.9.65:";;
    esac
   cat <<\_ACEOF
 
@@ -1470,7 +1470,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.64
+firejail configure 0.9.65
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1772,7 +1772,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.64, which was
+It was created by firejail $as_me 0.9.65, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3417,8 +3417,8 @@ if test "x$enable_apparmor" = "xyes"; then :
         HAVE_APPARMOR="-DHAVE_APPARMOR"
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
-$as_echo_n "checking for AA... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
+$as_echo_n "checking for libapparmor... " >&6; }
 
 if test -n "$AA_CFLAGS"; then
     pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3458,7 +3458,7 @@ fi
 
 
 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3485,7 +3485,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
         { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -4801,7 +4801,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.64, which was
+This file was extended by firejail $as_me 0.9.65, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4855,7 +4855,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.64
+firejail config.status 0.9.65
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 1f8770587..670a755b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.64, netblue30@protonmail.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cc4f81fa6..42d690c94 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -142,6 +142,7 @@ blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..1355c4337 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +70,27 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
+# private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..43060dd61 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runnuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+
+# dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 66fdd6496..28a7da404 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.cache/peek
+#whitelist ${HOME}/.cache/peek
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
@@ -31,13 +42,20 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
-# private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin convert,ffmpeg,peek
+disable-mnt
+private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
+private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own com.uploadedlobster.peek
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.FileManager1
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.Screencast
 dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 9e84623f4..fc8efe089 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/aacs
 noblacklist ${HOME}/.local/share/vlc
 
 include disable-common.inc
@@ -23,6 +24,7 @@ mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
 whitelist ${HOME}/.cache/vlc
 whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/aacs
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-players.inc
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d16aa2ee9..906d86484 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -307,6 +307,7 @@ gnome-recipes
 gnome-robots
 gnome-schedule
 gnome-screenshot
+gnome-sound-recorder
 gnome-sudoku
 gnome-system-log
 gnome-taquin